The Linux Programming Interface


320 Chapter 17


springing from the incompleteness of the draft standards), writing portable programs that use ACLs presents some difficulties.
This chapter provides a description of ACLs and a brief tutorial on their use. It
also describes some of the library functions used for manipulating and retrieving
ACLs. We won’t go into detail on all of these functions because there are so many
of them. (For the details, see the manual pages.)

17.1 Overview


An ACL is a series of ACL entries, each of which defines the file permissions for an
individual user or group of users (see Figure 17-1).

Figure 17-1: An access control list

ACL entries
Each ACL entry consists of the following parts:

• a tag type, which indicates whether this entry applies to a user, to a group, or to some other category of user;
• an optional tag qualifier, which identifies a specific user or group (i.e., a user ID or a group ID); and
• a permission set, which specifies the permissions (read, write, and execute) that are granted by the entry.

The tag type has one of the following values:
ACL_USER_OBJ
This entry specifies the permissions granted to the file owner. Each ACL
contains exactly one ACL_USER_OBJ entry. This entry corresponds to the traditional file owner (user) permissions.
ACL_USER
This entry specifies the permissions granted to the user identified by the
tag qualifier. An ACL may contain zero or more ACL_USER entries, but at
most one ACL_USER entry may be defined for a particular user.

Figure 17-1 (entries shown in the figure):

Tag type        Tag qualifier   Permissions   Note
ACL_USER_OBJ    -               rwx           corresponds to traditional owner (user) permissions
ACL_USER        1007            r--           group class entry
ACL_USER        1010            rwx           group class entry
ACL_GROUP_OBJ   -               rwx           corresponds to traditional group permissions; group class entry
ACL_GROUP       102             r--           group class entry
ACL_GROUP       103             -w-           group class entry
ACL_GROUP       109             --x           group class entry
ACL_MASK        -               rw-
ACL_OTHER       -               r--           corresponds to traditional other permissions
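As an added example (not code from the book, and not libacl itself), the following stand-alone C model parses the entries of Figure 17-1 in the short text form that getfacl and setfacl use ("u:1007:r--", "m::rw-"), enforces the two constraints stated above (exactly one ACL_USER_OBJ entry, at most one ACL_USER entry per user, and likewise for ACL_GROUP), and computes each entry's effective permissions by applying ACL_MASK to the group class entries as the POSIX ACL model (acl(5)) defines; the tag and struct names are this example's own, chosen to mirror the ACL_* constants.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-alone model of Figure 17-1's entries (not libacl). Perm bits: 4 = r, 2 = w, 1 = x. */
enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER };
struct ent { enum tag tag; long qual; int perm; };

/* Parse one short-form entry ("u::rwx", "u:1007:r--", "g:103:-w-", "m::rw-", "o::r--"). */
int parse_entry(const char *s, struct ent *e) {
    const char *c1 = strchr(s, ':'), *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    if (c1 != s + 1 || !c2 || strlen(c2 + 1) != 3) return -1;
    int qualified = (c2 > c1 + 1);                /* non-empty tag qualifier present */
    switch (s[0]) {
    case 'u': e->tag = qualified ? USER : USER_OBJ; break;
    case 'g': e->tag = qualified ? GROUP : GROUP_OBJ; break;
    case 'm': e->tag = MASK;  break;
    case 'o': e->tag = OTHER; break;
    default:  return -1;
    }
    if (qualified && (e->tag == MASK || e->tag == OTHER)) return -1; /* no qualifier allowed */
    e->qual = qualified ? strtol(c1 + 1, NULL, 10) : -1;
    e->perm = ((c2[1] == 'r') * 4) | ((c2[2] == 'w') * 2) | (c2[3] == 'x');
    return 0;
}

/* Parse a comma-separated ACL into ents[], enforcing the rules stated in the text:
 * exactly one ACL_USER_OBJ entry, and at most one ACL_USER (or ACL_GROUP) entry per
 * qualifier. Returns the entry count, or -1 if the ACL is malformed or invalid. */
int parse_acl(const char *text, struct ent *ents, int max) {
    char buf[256]; int n = 0, owners = 0;
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        if (n == max || parse_entry(tok, &ents[n]) < 0) return -1;
        if (ents[n].tag == USER_OBJ) owners++;
        for (int i = 0; i < n; i++)               /* duplicate qualifier check */
            if ((ents[n].tag == USER || ents[n].tag == GROUP) &&
                ents[i].tag == ents[n].tag && ents[i].qual == ents[n].qual) return -1;
        n++;
    }
    return owners == 1 ? n : -1;
}

/* Effective permissions of entry i: the group class (ACL_USER, ACL_GROUP_OBJ, ACL_GROUP)
 * is limited by ACL_MASK when a mask entry is present; owner and other entries are not. */
int effective_perm(const struct ent *ents, int n, int i) {
    int mask = 7;
    for (int j = 0; j < n; j++) if (ents[j].tag == MASK) mask = ents[j].perm;
    enum tag t = ents[i].tag;
    return (t == USER || t == GROUP_OBJ || t == GROUP) ? (ents[i].perm & mask) : ents[i].perm;
}
```

With the figure's ACL, user 1010's rwx entry yields rw- once the rw- mask is applied, and group 109's --x entry yields no permissions at all.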